SMS 2-Factor auth is not secure, because the phone networks are not secure. The telecoms company reps are easily social engineered, the network layers are ridiculously insecure, the actual mobile communications are easily attacked by sufficiently motivated entities. You pick a layer of the stack, you can probably find an easy attack.

No one should be using SMS codes as a 2-factor authentication method in 2017, but here we are.

The author admits it, but it’s worth reiterating that if you don’t have the private key to the address with the BTC, you don’t actually own the BTC. At minimum, exchanges should implement multisig with the user holding part of the key.

Verizon would seem to have quite the liability here. Ironically maybe more because of the text. “Hey, we got fooled, nothing we could do.” That’s one defense, maybe. But sending a text “hey, you’re getting hacked, call us back.” And then not answering the phone? Never a good look to know something is wrong and proceed recklessly.

Ok, but how do we proceed from here? Assuming most people want or should have secure text communications, should we create a secure SMS 2.0 or drop it in favour of HTTPS chat/email? Could a company do a blackberry these days and have their own SMS network? These days if you have a SIM card you generally have some sort of data on it anyway, is there much point to insecure SMS any more? Should we drop phone numbers while we are at it too and just use VoIP and IM/email?

Lesson 1: If you don’t have sole access to the private key, they aren’t your Bitcoins. This is one of the reasons Bitcoin was created. You have the power to take full control; use it. Put effort into your security proportional to your exposure. $8000 in Bitcoin and misc. altcoins should warrant at least a password-protected backed-up local wallet. Use your phone; there are easy apps for this. Mycelium, breadwallet, etc.

Lesson 2: Never use SMS auth. Only use authentication based on well-reviewed cryptosystems. Humans, and systems easily controlled by humans, cannot be trusted. TOTP is fine, U2F is better. Closed source solutions like Duo are an acceptable compromise.

They do provide insurance: https://xapo.com/terms/, though only for things related to the company, not failures that are the user's fault:

The Xapo Bitcoin Reserve is designed to cover direct and effective losses suffered by users as a result of attacks of hackers to our systems, theft by any third party and/or Xapo employee from our systems or facilities, break-ins at a physical location of our vaults, and/or our bankruptcy, which are not due to or related to your acts, omissions or errors (“Qualifying Losses”).

What exactly are you looking for? FDIC insurance? I don’t think the US government is ever going to insure a competing currency.

There are risks to action and risks to inaction. Keeping your bitcoin on a piece of paper under your mattress is also dangerous - the primary danger, at least with bitcoin, being you’d lose the private key…

For this particular case Xapo requires 24 hours to reset a password and sends a bunch of warnings before they do it.

Given the history of Bitcoin markets, I wouldn’t keep any money in any of them that you aren’t planning on trading right now. So many of them have been hacked or have the founders mysteriously disappear with the money.

One alternative is Blockchain wallet (https://blockchain.info/). This site cannot reset your password because your password ultimately secures your wallet’s private key. This means that the service is as secure as your password, which could be considered a “secure alternative to Coinbase”. Note that this does not include ethereum or litecoin wallets, nor an exchange though.

Coinbase also claims to have FDIC insured deposits for its US customers (but only for the USD balance), so that can be a real advantage over other exchanges at least. They’re also insured against theft/security failures (their policy would probably be detailed enough to exclude OP’s problem).